Arizona election auditors: Deleted database recovered, ballot chain-of-custody still missing

Arizona Senate Republicans tried to ease tensions with Maricopa County officials angry about the ongoing election audit in a special hearing Tuesday. 

"This has nothing to do with overturning the election" that Joe Biden won in the state's largest county, Senate President Karen Fann said in her opening statement. She claimed to have always said she doesn't expect to find "intentional wrongdoing" by county officials.

The Board of Supervisors said they wouldn't testify at Tuesday's hearing in their own Monday meeting and formal response to Fann's questions about irregularities and missing data discovered by Senate-hired auditors.

Those auditors updated Fann and Senate Judiciary Committee Chairman Warren Petersen on their efforts Tuesday. Cyber Ninjas CEO Doug Logan said he expected to complete the audit by the end of June, blaming technical issues and insufficient staffing for the slow pace.

CyFIR founder Ben Cotton said he had resolved one of the most bitter disputes between Senate Republicans and county officials: the alleged deletion of the main database for the 2020 general election.

Despite finding a "master file table" confirming that a database directory was deleted from the server, Cotton has been able to recover the deleted files and does not need anything more from the county, he told lawmakers. "I think that's some good news," Petersen replied.

The county does not want to let the issue go. "Maricopa County did not delete files when preparing the subpoenaed SQL server for delivery," it said in a tweet thread shortly after the hearing ended.

Senate Republicans emphasized they were making good-faith efforts to fix ongoing problems with Arizona elections revealed by the audit, including through legislative changes to chain-of-custody requirements.

This is the first forensic audit of this scale in American history, Petersen said. Just like election counting and storage rooms are monitored by 24-hour livestreams and armed security, "we have 24-hour efforts to shut down the audit."

Fann said she was saddened by the "hurtful comments" made by supervisors Monday. "It has been nothing but delays, delays, delays" as county officials refuse to answer "our simplest questions." 

Personally identifiable information 'should not exist on that router, period'

Senate Republicans opened the hearing by seeking to establish the technical bona fides of the contractors, especially Cyber Ninjas, which was portrayed as incompetent and unqualified to conduct election audits in the supervisors' Monday letter.

Cyber Ninjas has done this sort of work for other counties, Logan told lawmakers. Its Maricopa County audit is different from earlier audits by the county because it's focused on the full election results, not just a sample of ballots or a review of software.

Cotton said he has 25 years of computer forensics and incident response expertise, including work on government projects requiring high security clearances, and he regularly serves as an expert technical witness in litigation. CyFIR has never had an exposure or a leak.

Ken Bennett, the former Arizona secretary of state now serving as liaison between the Senate and county, said the latter may have misunderstood Fann's question about chain-of-custody documentation.

The transfer of ballots and machines April 21-22 went smoothly, with only "minor issues" discovered on a few dozen pallets of ballots, he said, praising co-director of elections Scott Jarrett. But Bennett still has not been given documentation about the chain of custody between the November election and the April handover. These procedures are different in every county, he confirmed to Fann.

Bennett was similarly flummoxed by conversations with his county counterpart over the transfer of routers involved in the election, now the subject of a stalemate with Sheriff Paul Penzone.

He offered to send the contractor to Maricopa County Tabulation and Election Center (MCTEC) to inspect the routers "while they were still installed and in place," but his counterpart told Bennett the next day the equipment had already been removed and replaced "at great expense."

The subsequent offer of "virtual access" to the routers was rescinded two weeks later, with a new security justification by Penzone, according to Bennett. Fann also blamed the county for the increased taxpayer expense to conduct the audit offsite from MCTEC.

The county's privacy explanation for withholding the routers doesn't make sense, according to Cotton. Alleged personally identifiable information of county residents "should not exist on that router, period," he said. The security risks to law enforcement programs, cited in Monday's letter from the county, would mean election data "had to be exposed to the internet," contrary to earlier representations by the county.

Cotton's inability to get administrator- or technician-level access to Dominion Voting Systems tabulators from the county has thwarted his attempts to confirm whether the machines had internet connections, he said. 

The auditor found two RJ-45 network connectors with unexplained configurations, which might indicate they had Verizon Wireless cards inside. If so, "by definition [they] would have touched the internet," Cotton said.

Logan of Cyber Ninjas said he wasn't satisfied by the county's explanation of why the actual number of ballots in a batch often did not match the "pink report slip" on the box. 

He knows that duplicates are created when damaged ballots can't be read by the machine, but the documentation forms the county provided in Monday's letter are not filled out properly, Logan said. Bennett added that the county's damaged and duplicate ballots are sometimes not correctly associated with each other.